
2014 ACC-SoCal In-House Counsel Conference #IHCC14
January 29, 2014, Anaheim, California
Sponsored by Crowell & Moring LLP
Panelists: Jeffrey L. Poston, Partner; Jennifer S. Romano, Partner

How To Manage A Data Breach (“Incident”) Crisis


Typical Breach Costs $Millions

Forensics

Outside Counsel

Credit Monitoring

Security and Technology Upgrades

Fines

Settlements

Damages

Opportunity Costs


What Is At Risk?

Protected Health Information (“PHI”)
– Health status, treatment or payment
– Identifiers (name, SSNs) and health information
– Does not apply to “de-identified data”
– Personal Information (broader category under state law)

Personally Identifiable Information (“PII”)
Generally defined as combination of first and last name PLUS any one of the following:
– SSN
– Drivers License No.
– Account No.
– Credit Card No.
– Medical Information

Trade Secrets

Mayhem/Tort Liability


CYBER THREATS

Cyber Threats (diagram: Trade Secrets, PII)


The Threat: What’s Out There? (cont’d)

Cyber Criminals
– Ties to organized crime
– International in nature (particularly Eastern Europe and the former Soviet Union)
– Selling stolen data: PHI/PII, trade secrets


How Do They Get It? Common Techniques

Spear Phishing
– Targeted
– Appear to be authentic emails, with attachments or links containing malware

Malware
– Either via email or websites, can give hackers a “back door” into your network

Distributed Denial of Service (DDoS) Attacks
– Often accompanied by fraud


Corrupt Employees

Paid to steal personal information (SSNs, credit card numbers)

The MOB/Eastern Europeans

Often low tech theft - hard copies

Provide PII to identity theft rings
– Fake IDs/credit cards made
– Lines of credit opened at stores
– Prescriptions


Corrupt Employees (cont’d)

In past six months
– Employees steal PI from dental practice, insurer and rental car company
– Nurse’s Aide indicted in Va. – stealing PI for tax fraud
– Stolen Porsche traced to home where $2.5 million credit card operation discovered


Target and Neiman Marcus Data Breaches

Type of Breach
– Target: outside hacker; likely used RAM scraper (memory scraping malware), along with other tools
– Neiman Marcus: outside hacker; details not disclosed

How Many Affected
– Target: up to 70 million individuals; 40 million credit and debit card accounts
– Neiman Marcus: numbers unknown but data reportedly includes credit and debit card numbers, customer names, contact information


Target and Neiman Marcus Data Breaches (cont’d)

Litigation & Enforcement Actions
– Target: 40+ class actions, punitive damages requested; State AG (MA, NY, IL, PA, others) investigations; Senate briefing requests
– Neiman Marcus: likely same as for Target


HOW TO MANAGE CRISIS WHEN PII COMPROMISED


How To Manage Crisis When PII Compromised (cont’d)

1. Do Not Sweep Under the Rug
– Will come back to haunt you
– Public somewhat sensitized to breaches
– Will not tolerate cover-up – cover-up worse than crime
– If data missing, beware the “no harm, no foul” position
– Subsequent discovery: identity theft, whistleblowers, litigation discovery/audit


How To Manage Crisis When PII Compromised (cont’d)

2. Be Prepared
– Breach Response Plan: GC’s Office, Privacy Office, IT, Outside Counsel, Forensics Firm, Media Relations
– Dry Runs
– Training/Policies to Ensure Incident Reported Up the Chain


How To Manage Crisis When PII Compromised (cont’d)

3. Involve In-House/Outside Counsel Immediately
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims/positions vs. vendor
– Assess need for law enforcement
– Strategize for long run – investigation through class actions
– Don’t want an early false step to jeopardize a defense or position 2 years down the road


How To Manage Crisis When PII Compromised (cont’d)

4. Investigate
– Privilege
– Forensics
– What data? PHI, PI, SSN, credit card info
– Whose data? What states involved? Minors involved?
– What systems?
– How accessible is missing data if in wrong hands?
– Access to vendors
– JDA


How To Manage Crisis When PII Compromised (cont’d)

5. Mitigate/Remediate
– Can you track and recover lost data?
– Can you verify that data not accessed?
– If technical cause, can it be fixed?
– First 24-48 hours critical
– Can’t presume missing data has not been improperly accessed


How To Manage Crisis When PII Compromised (cont’d)
Mitigate/Remediate (cont’d)

– Cyber Breach
  Can you identify type of infiltration and impact?
  Can you show forensically that data not accessed?
  Can you determine if data exfiltrated?
  Typically, can at least determine what was accessible
  In case of lost laptop, can usually determine what data it contained


How To Manage Crisis When PII Compromised (cont’d)
Mitigate/Remediate (cont’d)

– Corrupt Employee
  Can you track extent of employee’s access?
  If so, is there a definable group to be notified?
  If not, must you notify entire population?
  How widespread is the incident? Documents discovered in several states
  Is law enforcement involved? Can scope of incident be determined through criminal process?


How To Manage Crisis When PII Compromised (cont’d)

6. Notification Issues
– OCR/HIPAA – HI-TECH
– FTC
– State Breach Notification Laws
  States plus D.C., Puerto Rico and Virgin Islands
  46 different standards, some involving “risk of harm”
  AGs have enforcement authority
  Timing: “in the most expedient time possible,” “without unreasonable delay”
  If required to notify in some states, notify in all states


How To Manage Crisis When PII Compromised (cont’d)
Notification Issues (cont’d)

– Who notifies – company or vendor?
– Don’t sugarcoat notification letter
– What do you do if you cannot determine extent of incident? Notify everyone? Notify no one?


How To Manage Crisis When PII Compromised (cont’d)

7. Here Come the Regulators
– AGs and FTC
– Be proactive with regulators
– Establish relationship/bring them in the loop
– You don’t want them to find out about this second hand
– Beware of turf wars within a state
– Make sure they know that situation is fluid and you will update them


How To Manage Crisis When PII Compromised (cont’d)

8. Involve Corporate Communications
– States require certain content in notification letters
– Media statement should be consistent with notification letters and call center talking points
– Inconsistent message will confuse members and embolden Plaintiffs’ attorneys
– AGs may use loose language against you
– Have talking points ready to go prior to notification


Third Party Vendor

Joint Defense Agreement

Who is notifying members?

Liability for Vendor Conduct

Need to think ahead to class litigation

Need to understand scope of indemnity
– Timing of claim
– Tolling Agreement

If ultimate position is common – e.g. class suffered no injury – then need united front in public while deferring any fight with Vendor


Insurance Issues

Report incident to commence/preserve claim

What kind of policy?

– All Risk

– CGL

– Standalone Cyber Policy


CGL Policies

Traditional CGL?
– Physical loss
– Tangible property
– Personal and advertising injury

Hacking and data breaches not contemplated when standard CGL policies first written

Exclusions for privacy-related actions (e.g., TCPA claims) are getting tighter and more explicit

ISO filed endorsements, to become effective 5/14, that exclude claims regarding access/disclosure of confidential PI or data-related liability


Insurers Contesting Data Breach Coverage Under CGL

Liberty Mutual v. Schnuck Markets, Inc. (E.D. Mo., August 14, 2013): Liberty Mutual contested coverage under a general liability policy for losses due to a data breach, claiming suits resulting from the breach do not allege bodily injury or property damage. Liberty also contends that the “expected or intended” exclusion precludes coverage (based on Schnuck’s delay in reporting the breach).


Insurers Contesting Data Breach Coverage Under CGL (cont’d)

OneBeacon America Ins. Co. v. Urban Outfitters, Inc. & Anthropologie (E.D. Pa. September 10, 2013):
– Class actions have been filed against Urban Outfitters & Anthropologie, alleging that the stores violated the Credit Card Act by asking customers for their zip codes during credit card transactions as a marketing ploy
– OneBeacon alleges that the underlying complaints do not amount to an advertising injury under the comprehensive general liability policy at issue


Insurers Contesting Data Breach Coverage Under CGL (cont’d)

Zurich American Ins. Co. v. Sony Corp. of America, et al. (N.Y. Sup. Ct., 7/20/11): Zurich refuses to pay for costs associated with the PlayStation breach and 55 class actions under CGL because no bodily injury, property damage or personal and advertising injury.


Insurers Contesting Data Breach Coverage Under CGL (cont’d)

Hartford Casualty Insurance Company v. Corcino & Associates et al. (C.D. Cal. 10/7/13): court grants MTD, ruling that CGL policy covers indemnity of claims under California Confidentiality of Medical Information Act (“CCMIA”) in spite of exclusion disclaiming coverage arising from a right of privacy “created by state or federal act”


Cyber Risk Policies: Common Exclusions

Coverage from territory restrictions

Losses from “named viruses”

Failure to take reasonable security measures

Blogs

Hostilities and warlike operations


Emerging Litigation Issues

Typical Claims

– Negligence

– Breach of Contract

– Unfair Trade Practices

– Breach of Privacy

– State Statutes e.g. CMIA

Threshold issues

– Standing to sue (Federal Court)

– Actual injury or harm (common law claims)


Emerging Litigation Issues (cont’d)

Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues of causation and damages
– Thus common questions of law and fact do not predominate over questions affecting individual members

Damages
– Aggregate exposure to nominal damages
– Due process violation?


TYPICAL SETTLEMENTS

Non-monetary relief (e.g., credit monitoring)

Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)

Consent decree requiring security improvements

Attorneys’ fees to Plaintiffs’ counsel

Capped individual payments to Plaintiffs who can prove causation


Significant Take-Away Points

The threat is real - be prepared with a breach response plan

Take action - don’t sweep it under the rug

Involve counsel at the outset

Investigate thoroughly

Coordinate with all internal stakeholders